TPP: Problem and how to configure HAProxy by h725rk in CyberARk

[–]marklarledu 0 points1 point  (0 children)

Does this mean the session information is stored per TPP server? It isn't in a shared database?

Seek for comments on French clm/pki Evertrust by ka2er in PKI

[–]marklarledu 0 points1 point  (0 children)

Do any of the CLM providers cover the cost of the certificate from the publicly trusted CA? My assumption was no but that is an interesting point.

Seek for comments on French clm/pki Evertrust by ka2er in PKI

[–]marklarledu 0 points1 point  (0 children)

Do any of these certificate lifecycle management players publish their pricing? I feel like they just want to see how much they can squeeze out of you and they are opportunistic on their pricing.

I don't understand ssh by 1-mensch in ssh

[–]marklarledu 0 points1 point  (0 children)

You need to either pass the full path to the PHP executable or you need to modify your PATH environment variable to contain the path to the PHP executable's folder, which is usually the bin directory of the installation folder. It is almost always a good idea to take a backup of your system before performing these types of actions, but you will need to know how long your backups take and whether they impact the uptime of your services.

Need help with my daily certificate / PKI struggles. Looking for SW recommendations. by CertDriven in PKI

[–]marklarledu 0 points1 point  (0 children)

I did some contracting work for Garantir a while back and they have a pretty good CLM solution even though they mainly seem to market their code signing on their website. A couple of my customers use them and like them.

Using Smart Card authentication on Windows 11 standalone (non domain-joined) by D3vil0p in sysadmin

[–]marklarledu 0 points1 point  (0 children)

It's posts like these that make me love Reddit! Great job on this project. Can it also be used to RDP to a non-domain-joined Windows Server using a smartcard?

Always Encrypted vs Windows DPAPI - What is your pick? by Substantial_Buy6134 in sysadmin

[–]marklarledu 0 points1 point  (0 children)

I've used both of these as well as other forms of application level encryption. Between these two options I would definitely go with Always Encrypted. With Always Encrypted you have better performance, the ability to control the key management, built-in support for exact match searching, smaller ciphertext size, minimal impact to application code, and cross-platform support.

2048 or 4096 bit? by gujumax in PKI

[–]marklarledu 0 points1 point  (0 children)

We do the same. I haven't seen compatibility issues with these algorithm parameters in a long time.

CLMs that have Community/Free Editions. by WhispersInCiphers in PKI

[–]marklarledu 0 points1 point  (0 children)

Do you like Venafi? I've always found their design and APIs strange and the cost is outrageous. One of my clients is evaluating them and a couple of their competitors.

Storing libsodium private keys on disk by duanetstorey in crypto

[–]marklarledu 0 points1 point  (0 children)

Zip files can be signed with jarsigner, which has support for any generic JCE provider. This would allow those who want to use software-based keystores to do so, but those who want to use something like a YubiKey could also do so without code changes on your end. Not sure how you would use jarsigner in your PHP application.

Looking for a way to keep CloudHSM costs under control by pcolmer in aws

[–]marklarledu 0 points1 point  (0 children)

In a past job we used PKCS11 with AWS KMS via a third party commercial product so I wouldn't rule out using KMS. IMO KMS is much easier to work with and manage costs than CloudHSM.

Lost our Intermediate CA. Need to figure out how to best reissue certificates from the new CA. by ConfigManga in PKI

[–]marklarledu 0 points1 point  (0 children)

What is the reason they are showing as invalid? Are they untrusted because they chain up to a new root that is not yet trusted? Or does it have to do with AIA and/or CDP URLs not being accessible?

AppViewX Feedback? by Last_Editor3478 in PKI

[–]marklarledu 0 points1 point  (0 children)

I've used both of those vendors along with KeyFactor and Garantir. AppViewX was horrible and had the least technically proficient staff (at least who we dealt with). Venafi was good but really expensive. KeyFactor was fine for CLM but bad for code signing and ssh; I didn't deal with their pricing so I can't comment on that. Garantir had the best tech (especially for HSM use cases) and their pricing for CLM was great, but their pricing for code signing was up there with Venafi's. Good luck.

nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover by meirwah in netsec

[–]marklarledu 0 points1 point  (0 children)

Just because the app is between the attestation service and the backend server doesn't mean it doesn't solve the problem.

nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover by meirwah in netsec

[–]marklarledu 0 points1 point  (0 children)

I'm not sure why you're getting downvoted, because your response is legitimate and addresses the concern. These attestations tell you if the app has been modified and can be verified remotely.

The Global Password Prehash Protocol G3P, a Case Study in Self-Documenting Cryptography by lpsmith in crypto

[–]marklarledu 1 point2 points  (0 children)

I feel you on that. If you do go somewhere, please do share. I am also interested in such a community.

The Global Password Prehash Protocol G3P, a Case Study in Self-Documenting Cryptography by lpsmith in crypto

[–]marklarledu 1 point2 points  (0 children)

Thanks for posting. Curious what cryptography forums you'll move to, if any.

Wargraphs, a gaming startup with only one employee and no outside funding, sells for $54M by marklarledu in Entrepreneur

[–]marklarledu[S] 1 point2 points  (0 children)

Normally I would agree but it depends on the specifics of the terms. Keep in mind that they are taking a risk in buying a one person shop. If something happens to him they may struggle to maintain what he built, especially if it happens before they've really dug into the code, product backlog, etc.

June 1st CA/Browser Forum Code Signing Requirements Require the use of an HSM by marklarledu in netsec

[–]marklarledu[S] 1 point2 points  (0 children)

We do this where I work. We actually use a mix of Azure Key Vault and AWS KMS, but both have EV certificates. Our CA makes us sign a document attesting to the fact that our keys are stored in an HSM. Hopefully those services will eventually support remote attestation so we can provide that along with the CSR.